Lync 2010 - External Voice calls do not complete - "Call failed to establish due to a media connectivity failure when one endpoint is internal and the other is remote"

    Question

  • We have Lync 2010 setup at work and external users can IM, Video, and Share files, desktop, etc... The only piece that is not working is voice.

    I have done packet traces, sip traces, and logging on the client and cannot find the cause, please let me know which log files you might need to see.

    This is the only error message that I have really been able to pin down:

    ms-client-diagnostics: 23; reason="Call failed to establish due to a media connectivity failure when one endpoint is internal and the other is remote";CallerMediaDebug="audio:ICEWarn=0x80012b,LocalSite=x.x.x.x:16840,LocalMR=y.y.y.y:3478,RemoteSite=z.z.z.z:55521,RemoteMR=w.w.w.w:59305,PortRange=1025:65000,RemoteMRTCPPort=59305,LocalLocation=1,RemoteLocation=2,FederationType=0"

    Thanks!

    Bob

    Friday, October 15, 2010 3:17 AM

Answers

  • We figured it out as it applies to our setup last night. We previously didn't have an internal dns entry for av.involta.com that pointed to the public IP address for it. Because that didn't exist, the front end was trying to talk out directly through the firewall. We also added the av public IP address to the NAT enabled IP address field on the edge server general section. As soon as we published, reran the deployment wizard on both the front end and edge, works like a champ. Hope that helps!
    • Proposed as answer by yeahbuddyia Tuesday, January 11, 2011 5:23 PM
    • Marked as answer by Ben-Shun Zhu Wednesday, January 26, 2011 3:34 AM
    Wednesday, January 05, 2011 5:14 PM

All replies

  • Hi, please confirm that certificates, ports and network connectivity are working fine on the Edge server, or would you please enable logging on both MOC and the Edge server during the audio test failure and then paste the errors here to narrow down the issue.

    And make sure the ports and software are not being interfered with by the firewall or antivirus.


    Best regards,
    Friday, October 15, 2010 10:13 AM
  • When it breaks:

    10/15/2010|09:43:59.017 1070:1074 INFO  :: Sending Packet - 72.50.230.243:443 (From Local Address: 10.0.0.214:51956) 1414 bytes:
    10/15/2010|09:43:59.017 1070:1074 INFO  :: BYE sip:invmaocsvm01.involtadc.local@involta.com;gruu;opaque=srvr:MediationServer:j95tfsQns1SJPmQCLBmKJQAA;grid=6be3895740704756becd4835abf3a6f3 SIP/2.0
    Via: SIP/2.0/TLS 10.0.0.214:51956
    Max-Forwards: 70
    From: <sip:jward@involta.com>;tag=81082ce6b2;epid=8371fd6545
    To: <sip:93192132014;phone-context=defaultprofile@involta.com;user=phone>;tag=6261e5e284;epid=8BF6B67ACE
    Call-ID: 576b29afdcdb453dae40fe02c64f82b0
    CSeq: 3 BYE
    Route: <sip:sip.involta.com:443;transport=tls;opaque=state:Ci.R50a00;lr;ms-route-sig=cboYWBFnyyKCivHBU9wrNiqDO8wOwZE86vDqGIZ9WXauj3rMwc1hwU_gAA>
    Route: <sip:invmaocsvm01.involtadc.local:5061;transport=tls;opaque=state:F;lr;received=10.128.10.57;ms-received-cid=2BA02>
    User-Agent: UCCAPI/4.0.7457.0 OC/4.0.7457.0 (Microsoft Lync 2010 (RC))
    ms-client-diagnostics: 23; reason="Call failed to establish due to a media connectivity failure when one endpoint is internal and the other is remote";CallerMediaDebug="audio:ICEWarn=0x80012b,LocalSite=10.0.0.214:19766,LocalMR=72.50.230.245:3478,RemoteSite=10.128.10.57:53045,RemoteMR=10.128.11.36:59699,PortRange=1025:65000,RemoteMRTCPPort=59699,LocalLocation=1,RemoteLocation=2,FederationType=0"
    Proxy-Authorization: TLS-DSK qop="auth", realm="SIP Communications Service", opaque="0ADD0480", targetname="invmaocsvm01.involtadc.local", crand="4f54e6d7", cnum="29", response="3097f05673e4e6ad0a790408c6feb521da55bdf8"
    Content-Length: 0

    10/15/2010|09:43:59.018 1070:1074 INFO  :: End of Sending Packet - 72.50.230.243:443 (From Local Address: 10.0.0.214:51956) 1414 bytes

    Friday, October 15, 2010 3:29 PM
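
    Added example, not part of any post in this thread and not Microsoft code: a Python triage helper that parses the ms-client-diagnostics header from the trace above and reports which advertised addresses are private. The function names are hypothetical, and reading LocalMR/RemoteMR as the media relay addresses each side was given is an assumption.

```python
import ipaddress
import re

# Header copied from the BYE request posted in the thread above.
SAMPLE = (
    'ms-client-diagnostics: 23; reason="Call failed to establish due to a media '
    'connectivity failure when one endpoint is internal and the other is remote";'
    'CallerMediaDebug="audio:ICEWarn=0x80012b,LocalSite=10.0.0.214:19766,'
    'LocalMR=72.50.230.245:3478,RemoteSite=10.128.10.57:53045,'
    'RemoteMR=10.128.11.36:59699,PortRange=1025:65000,RemoteMRTCPPort=59699,'
    'LocalLocation=1,RemoteLocation=2,FederationType=0"'
)
ADDRESS_FIELDS = ("LocalSite", "LocalMR", "RemoteSite", "RemoteMR")


def parse_diagnostics(header):
    """Split the header into (diagnostic id, reason, {modality: {key: value}})."""
    ident = re.match(r"\s*ms-client-diagnostics:\s*(\d+)", header, re.IGNORECASE)
    if ident is None:
        raise ValueError("not an ms-client-diagnostics header")
    reason = re.search(r'reason="([^"]*)"', header)
    media = {}
    for blob in re.findall(r'(?:Caller|Callee)MediaDebug="([^"]*)"', header):
        modality, _, rest = blob.partition(":")
        pairs = (item.partition("=") for item in rest.split(","))
        media[modality] = {k.strip(): v.strip() for k, sep, v in pairs if sep}
    return int(ident.group(1)), reason.group(1) if reason else None, media


def classify(endpoint):
    """Label an ip:port value as 'private', 'public' or 'unparsed' (e.g. x.x.x.x)."""
    host = endpoint.rsplit(":", 1)[0]
    try:
        address = ipaddress.ip_address(host)
    except ValueError:
        return "unparsed"
    return "private" if address.is_private else "public"


def triage(header):
    """Return per-modality address classes plus findings worth a closer look."""
    code, reason, media = parse_diagnostics(header)
    report = {"code": code, "reason": reason, "addresses": {}, "findings": []}
    for modality, fields in media.items():
        kinds = {f: classify(fields[f]) for f in ADDRESS_FIELDS if f in fields}
        report["addresses"][modality] = kinds
        # Assumption: LocalMR/RemoteMR are the relay addresses each side was given.
        if kinds.get("LocalMR") == "public" and kinds.get("RemoteMR") == "private":
            report["findings"].append(
                f"{modality}: RemoteMR {fields['RemoteMR']} is a private address; "
                "an Internet-side endpoint cannot route media to it"
            )
    return report


if __name__ == "__main__":
    result = triage(SAMPLE)
    print(result["addresses"])
    for line in result["findings"]:
        print("FINDING:", line)
```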
  • Also, I did a packet trace on the client machine and it appears that it is talking to my public av edge ip up until the receiver of the call answers and then the external client tries to start talking to the FE directly (via private IP's) which are not routable.

    Bob

    • Proposed as answer by hassanb-WWF Wednesday, July 31, 2013 9:53 PM
    Friday, October 15, 2010 3:38 PM
  • Hi, from searching on this problem, it may be that an IPSec mismatch is causing call disconnects for off-corp users only on external calls. Either IPSec is enabled on both sides, or there are exemptions on both sides, for IPSec to work fine. Would you please check?


    Best regards,
    Monday, October 18, 2010 2:56 AM
  • I have double checked and we do not have IPSec enabled on the server. If I VPN into the office everything works again (assuming because I am now able to get to the local IP's).

     

    Thanks,
    Bob

    Monday, October 18, 2010 2:06 PM
  • I just did some further looking (at firewall and packet sniffers) and found that when I make a voice call from outside the network everything starts off by going to the AV service, but once the call gets answered it switches to the Front End server trying to talk directly to the external client, which breaks as no firewall rules allow for this traffic to come back from the client to the server.

    Client IP (udp/32683) -> Firewall IP (udp/23819)
    Firewall IP (udp/13894) -> Client IP (udp/32682)

    We use the IP of the firewall as the global NAT (any server that does not have a static NAT appears as this IP).

    Thanks,
    Bob

    Monday, October 18, 2010 5:55 PM
  • I have done some further digging and on the admin site, if I go to:

    Topology -> Double Click on Edge Server -> Double Click on EdgeServer service

    I see that "Audio/Video Edge service external FQDN:" and "Internal interface FQDN:" are both "Not set" and I wonder if this could be causing my issue? If so where would these get set at?

    Thanks,
    Bob

    • Proposed as answer by Jake Marzofka Monday, August 20, 2012 6:46 PM
    • Unproposed as answer by Jake Marzofka Monday, August 20, 2012 6:46 PM
    Monday, October 18, 2010 8:53 PM
  • Hi, "Internal interface FQDN:" should be the FQDN of the Edge server, and "external FQDN of A/V Edge service:" should be set to the A/V external FQDN which you are going to publish. Would you please try?
    Best regards,
    Tuesday, October 19, 2010 4:28 AM
  • I have been looking through the configuration, where would I publish these?

    Thanks,
    Bob

    Tuesday, October 19, 2010 11:13 AM
  • What I mean is the external FQDN that you want to publish to external network (or internet).
    Best regards,
    Wednesday, October 20, 2010 3:26 AM
  • What he's referencing is in the admin panel, Topography > Select the Edge Server to view the properties...this is what we're seeing:

     

    http://imgur.com/ujVGX.png

    • Edited by yeahbuddyia Wednesday, October 20, 2010 3:40 AM link
    Wednesday, October 20, 2010 3:39 AM
  • Hi, Bob, is the problem resolved?
    Best regards,
    Thursday, October 21, 2010 9:43 AM
  • No, the issue still exists, if you look at this screen shot:

     

    http://imgur.com/ujVGX.png

     

    You can see that both of those settings still show up as "Not Set"

    Bob

    Thursday, October 21, 2010 12:36 PM
  • You may configure them and then "publish" in Topology Builder; the settings in the Lync Control Panel will be changed after replication has finished.
    Best regards,
    Friday, October 22, 2010 3:15 AM
  • I have the A/V server setup in the Topology Builder, but when I apply it the two settings in the above screen shot do not change from "Not Set". Bob
    Friday, October 22, 2010 10:01 PM
  • Would you please check the Edge server configuration in Topology Builder, not the A/V server, and then publish again.
    Best regards,
    Monday, October 25, 2010 3:31 AM
  • It still does not appear to be working, when someone external places a call through Lync it appears to start working then stops, here is what I have found through several packet captures:

    External Client places call, goes through edge server to front end

    Once the recipient of the call answers the front end tried to start talking directly to the external client (skipping over the edge, which then breaks the call)

    Please let me know what I can provide to help troubleshoot this.

    Thanks,
    Bob

    Monday, October 25, 2010 9:02 PM
  • I may have the same problem. Currently running OCS R2 including Edge (everything working). Now with separate Lync SE server I cannot use voice from remote user.

    Seems like in Lync there are settings missing or wrong:

    Access edge external FQDN: not set
    A/V Edge service external FQDN: not set

    And ApplicationServer does not start anymore

    Thanks,
    Johann


    Johann Deutinger | MCTS Exchange 2007 / OCS 2007
    Friday, October 29, 2010 9:12 PM
  • I have the exact same issue.

    Any fix so far?

    Regards

     

    JP

    Wednesday, November 03, 2010 2:39 AM
  • Anyone ?

    Ben?

    I know RTM is just couple of days from GA,  but it is really important to finalize the RC deployment...

    Thanks for any help..

    Regards

    JP

     


    JP Breton
    Wednesday, November 03, 2010 7:40 PM
  • Nothing new on our end. We were able to populate those fields by editing the .xml after doing an export config, then re-importing and it still doesn't resolve the issue. 
    Wednesday, November 03, 2010 8:43 PM
  • Hi

    Not sure where you changed that info in the XML file?

    I have searched the XML, and did not find any place to change that info.

    Cheers

    JP


    JP Breton
    Thursday, November 04, 2010 1:22 AM
  • Internal interface FQDN field: <Port Owner="urn:component:AccessEdge" Usage="SipServer" InterfaceSide="Internal" InterfaceNumber="1" Port="5061" Protocol="Mtls" UrlPath="/" AuthorizesRequests="false" ConfiguredFqdn="invmaocsvm03" />

     

    AV Edge External FQDN: <Port Owner="urn:component:MediaRelayEdge" Usage="TURNServer" InterfaceSide="External" InterfaceNumber="3" Port="443" Protocol="Tcp" UrlPath="/" AuthorizesRequests="false" ConfiguredFqdn="av.domain.com" />

     

    Previously the ConfiguredFqdn was just empty quotes. This is in the DocItemSet.xml file. Make sure when you re-zip the files, it's just the 2 files and not the folder or the import will not like the file.

    Thursday, November 04, 2010 8:48 PM
  • I have the same problem with RTM build used in coexistence with legacy Edge server and OCS R2 pool. External users always get local IP address in SDP. Any news on that?
    Johann Deutinger | MCTS Exchange 2007 / OCS 2007
    Friday, November 19, 2010 12:07 PM
  • We still have not received any updates about the issue and we are still seeing it as well.

     

    Bob

    Friday, November 19, 2010 9:58 PM
  • I have now changed Voice Route to point to legacy mediation server to bypass new colocated lync mediation server. Seems to work; need some more testing.
    Johann Deutinger | MCTS Exchange 2007 / OCS 2007
    Friday, November 19, 2010 11:10 PM
  • Update your Mediation Server: http://support.microsoft.com/kb/968802/en-us. It helped us.
    Wednesday, November 24, 2010 2:50 PM
  • I have done some further digging and on the admin site, if I go to:

    Topology -> Double Click on Edge Server -> Double Click on EdgeServer service

    I see that "Audio/Video Edge service external FQDN:" and "Internal interface FQDN:" are both "Not set" and I wonder if this could be causing my issue? If so where would these get set at?

    Thanks,
    Bob

    I too am having this same issue, and when I just checked these settings they were also set to "Not set"

    Have you had any luck getting yours to work yet?

    Saturday, December 04, 2010 2:44 AM
  • I had a similar issue with my setup and was able to get it working.

    First of all: make sure you NAT ports 50000 - 59999 UDP to your A/V Edge IP and make sure that the NAT IP is correctly configured in Lync.
    The fact that you can share desktop and files means that 50000-59999 TCP is forwarded correctly.

    The difference between the two workloads is that app sharing uses TCP while voice/video is using UDP.  You say video is working fine? Can you do a wireshark trace on the external side of the Edge server and see if there are UDP connections being set up on the Edge's port range 50k-59999?

    I would also recommend to try moving the A/V Edge to another port than the default port 443. On my side my router was not forwarding this port because it was using it for its own administration web page. You can do this by modifying the port in topology builder, publish the topology and then issue "Invoke-CsManagementStoreReplication" on the Lync server. Then check the edge event log if the A/V server received the new settings and restart its service to make it listen on the new port.

    Good luck

     


    Technical Specialist Microsoft OCS & UC Voice Specialisation - http://www.uwictpartner.be
    Saturday, December 04, 2010 8:14 AM
  • This seems like a bug to me.. I am noticing the exact same issue on my Edge server. has anyone been able to resolve this yet?
    Wednesday, January 05, 2011 4:39 PM
  • Same here.  We still have a OCS 2007 Edge running for legacy users not moved over to Lync, but we are seeing the same issues with external users.  I thought maybe that once I move everyone over and get rid of the legacy implementation, that things will start working, but based on what I see above, this will not be the case.

    I hope someone finds a resolution for this soon.

    Wednesday, January 05, 2011 5:05 PM
  • Here is the problem, we are using a single FQDN for all services (was hoping to make things simpler).  If I check the topology builder, the FQDN shows correctly for all services as the single one we picked, but the Control Panel does not reflect it for some reason. Our sip address is also our webconf and AV service address.  I wonder if this is why it is not showing up correctly.  We have a dns entry internal for that address, but it points to the internal IP, not the external.  I will change it over and see if it helps.

    Wednesday, January 05, 2011 5:38 PM
  • Has anyone found a resolution to this problem?   I am having the same problem and can only get it working if I use TCP, instead of TLS, from my voip gateway to the Lync Front-End/Mediation. 

    Tuesday, January 11, 2011 4:25 PM
  • Hi BOB, did you fix this issue?

    I got the same trouble.

    any suggestion?

    thanks in advance.

     

    Wednesday, January 12, 2011 8:52 PM
  • Yes, yeahbuddyia works with me, his solution above is the one that got us working.

    Bob

    Wednesday, January 12, 2011 10:01 PM
  • Great BoB

    IT'S WORKING

    Thanks a lot.

     

    Wednesday, January 12, 2011 10:34 PM
  • Any Resolution to this problem?

    I've the same problem with my lync edge server.

    Thursday, January 13, 2011 9:35 AM
  • We had the same issue except it presented as "Call failed to establish due to a media connectivity failure where one endpoint is of unknown type". In our deployment all users are external (we are a hosting Lync/OCS). What is really strange is why R2 Front Ends work fine without the internal DNS entry but Lync Servers don't. This has the feeling of a bug or at note in the deployment docs calling this out as a requirement for coexistence. All I did was add av.myucworkspace.com to my internal DNS pointed to the external av IP on the R2 Edge.

    Friday, January 21, 2011 5:29 PM
  • My problem was related to a route issue within the DMZ.  After correcting my route issue all is well.
    Friday, January 21, 2011 6:04 PM
  • Bob, was any change in your configuration reflected after you added the AV FQDN? I mean, in the properties view, were the internal FQDN and external AV FQDN populated?

    I have the same issue and I have added the AV FQDN to my hosts file on the FE. But calls seem to keep failing and there is no change in the properties view in my Lync console.

    Thanks in advance

     


    Amado Imperial
    Tuesday, January 25, 2011 9:45 PM
  • Hey! I've already fixed my problem. My edge server has NAT addresses; I'm not using a DMZ, and all of the IPs are internal addresses. The server is in a workgroup, and the NIC used for external services has the register-to-DNS option on auto. So my FE was getting an erroneous IP when looking up the internal interface of my edge server. I fixed the DNS registry, flushed the DNS, removed the auto-register option, and all started working great. The edge is behind an ISA Server 2006; it seems to work OK for now. I'll provide further comments.

    Greets!

    PS

    The service detail view stays on "Not set" for the external AV and internal FQDN. Weird...

     


    Amado Imperial
    Wednesday, January 26, 2011 9:51 PM
  • Dear All,

    I still get the error even after registering the DNS record for Av.domain.com on the internal DNS.

    how to fix this problem?

     

    Thanks

    Tuesday, March 29, 2011 11:00 AM
  • Internal interface FQDN field: <Port Owner="urn:component:AccessEdge" Usage="SipServer" InterfaceSide="Internal" InterfaceNumber="1" Port="5061" Protocol="Mtls" UrlPath="/" AuthorizesRequests="false" ConfiguredFqdn="invmaocsvm03" />

     

    AV Edge External FQDN: <Port Owner="urn:component:MediaRelayEdge" Usage="TURNServer" InterfaceSide="External" InterfaceNumber="3" Port="443" Protocol="Tcp" UrlPath="/" AuthorizesRequests="false" ConfiguredFqdn="av.domain.com" />

     

    Previously the ConfiguredFqdn was just empty quotes. This is in the DocItemSet.xml file. Make sure when you re-zip the files, it's just the 2 files and not the folder or the import will not like the file.

    in my case there is no Configuredfqdn="" at all, looks like this:

    <Port Owner="urn:component:AccessEdge" Usage="SipServer" InterfaceSide="Internal" InterfaceNumber="1" Port="5061" Protocol="Mtls" UrlPath="/" AuthorizesRequests="false" />

    my entries on the server if I look at topology are also empty.  Any advice?


    Gerhard Wessels Bytes Connect MCITP: Enterprise Messaging Administrator 2010
    Tuesday, May 03, 2011 11:41 AM
  • Internal interface FQDN field: <Port Owner="urn:component:AccessEdge" Usage="SipServer" InterfaceSide="Internal" InterfaceNumber="1" Port="5061" Protocol="Mtls" UrlPath="/" AuthorizesRequests="false" ConfiguredFqdn="invmaocsvm03" />

     

    AV Edge External FQDN: <Port Owner="urn:component:MediaRelayEdge" Usage="TURNServer" InterfaceSide="External" InterfaceNumber="3" Port="443" Protocol="Tcp" UrlPath="/" AuthorizesRequests="false" ConfiguredFqdn="av.domain.com" />

     

    Previously the ConfiguredFqdn was just empty quotes. This is in the DocItemSet.xml file. Make sure when you re-zip the files, it's just the 2 files and not the folder or the import will not like the file.

    in my case there is no Configuredfqdn="" at all, looks like this:

    <Port Owner="urn:component:AccessEdge" Usage="SipServer" InterfaceSide="Internal" InterfaceNumber="1" Port="5061" Protocol="Mtls" UrlPath="/" AuthorizesRequests="false" />

    my entries on the server if I look at topology are also empty.  Any advice?


    Gerhard Wessels Bytes Connect MCITP: Enterprise Messaging Administrator 2010

    I just spoke to a friend who has a working setup and his file also does not have the internal URL's specified but his setup does work.

     

    I did not have a DNS entry for AV.domain.x so I added first the external IP, which did not work, I then added it with the internal IP which also did not work.

    Any ideas of where I can look here?


    Gerhard Wessels Bytes Connect MCITP: Enterprise Messaging Administrator 2010
    Tuesday, May 03, 2011 1:28 PM
  • Quick note.

    I got fed up with this issue and moved my edge to the extreme edge of our network.

    Now all is working 100%.

    SIP NAT traversal, non-sequential IPs, you tell me.

    Outside of CISCO now, sequential IPs and all is working.

    I suggest a quick "test" by bypassing the network hardware; it might save you hours wasted on troubleshooting when it may be the network/firewall giving you hassles.


    Gerhard Wessels Bytes Connect MCITP: Enterprise Messaging Administrator 2010
    Wednesday, July 20, 2011 5:04 PM
  • We figured it out as it applies to our setup last night. We previously didn't have an internal dns entry for av.involta.com that pointed to the public IP address for it. Because that didn't exist, the front end was trying to talk out directly through the firewall. We also added the av public IP address to the NAT enabled IP address field on the edge server general section. As soon as we published, reran the deployment wizard on both the front end and edge, works like a champ. Hope that helps!

    i am having the same issue as

    External users are not able to make audio/video calls, and I am confused about how to import a certificate for AV services on the edge server, as I have already installed two certificates: one from the internal CA for the edge server and the other a public CA certificate having SAN entries, but not av.domain.com, as it wasn't required...

    Can u help me ..its urgent..

    Also on internal DNS av.domain.com will be created using public ip or dmz IP which is NaTTed to Public IP

     

    • Edited by Farrukh Qazi Wednesday, August 10, 2011 3:21 PM Mistake in wording
    Wednesday, August 10, 2011 3:19 PM
  • In our organization we ran into a similar problem and we found out the reason being that our Edge Pool was not being associated with anything inside of our topology builder. Make sure that you have all of your pools setup correctly for your edge services.

    http://s12.postimage.org/3le7f4bj1/Jacob_Tech_Dude.png

    Wednesday, August 22, 2012 8:04 PM
  • One more possible solution, which helped in our case. We have Front End and Mediation server co-located in the same server. I have understood, that Mediation Server should automatically use the same Edge with FrontEnd automatically, i.e. it should be ok to have an empty value here:

    PS C:\Users\admin> Get-CsService -MediationServer
    Identity             : MediationServer:LyncPool01.domain.com
    Registrar            : Registrar:LyncPool01.domain.com
    EdgeServer           : EdgeServer:lyncedgetr01.domain.com
    SipServerPort        : 5070

    ...

    Well, at least in our case it was not ok. I added the Edge for Mediation Server manually, and it started to work:

    Set-CsMediationServer -Identity "LyncPool01.domain.com"  -EdgeServer "EdgeServer:lyncedgetr01.domain.com"

    Friday, June 28, 2013 1:57 PM